Code review

Last updated
Software Engineers (a.k.a. programmers) reviewing a program Pair Programming 3.jpg
Software Engineers (a.k.a. programmers) reviewing a program

Code review (sometimes referred to as peer review) is a software quality assurance activity in which one or more people examine the source code of a computer program, either after implementation or during the development process. The persons performing the checking, excluding the author, are called "reviewers". At least one reviewer must not be the code's author. [1] [2]

Contents

Code review differs from related software quality assurance techniques like static code analysis,self-checks, testing, and pair programming. Static analysis relies primarily on automated tools, self-checks involve only the author, testing requires code execution, and pair programming is performed continuously during development rather than as a separate step. [1]

Goal

Although direct discovery of quality problems is often the main goal, [3] code reviews are usually performed to reach a combination of goals: [4] [5]

Review types

Several variations of code review processes exist, with additional types specified in IEEE 1028. [6]

Inspection (formal)

Historically, the first code review process that was studied and described in detail was called "Inspection" by its inventor, Michael Fagan. [7] Fagan inspection is a formal process that involves a careful and detailed execution with multiple participants and phases. In formal code reviews, software developers attend a series of meetings to examine code line by line, often using printed copies. Research has shown formal inspections to be extremely thorough and highly effective at identifying defects. [7]

Regular change-based code review (Walk-throughs)

In recent years,[ when? ] many industry teams have adopted a lighter-weight review process in which the scope of each review is on the changes to the codebase performed in a ticket, user story, commit, or some other unit of work. [8] [3] Furthermore, there are rules or conventions that integrate the review task into the development workflow through conventions like mandatory review of all tickets, commonly as part of a pull request, instead of explicitly planning each review. Such a process is called "regular, change-based code review". [1] There are many variations of this basic process. A 2017 survey of 240 development teams found that 90% of teams using code review followed a change-based process, with 60% specifically using regular change-based review. [3] Major software corporations including such as Microsoft, [9] Google, [10] and Facebook follow a change-based code review process.

Efficiency and effectiveness

Ongoing research by Capers Jones analyzing over 12,000 software development projects found formal inspections had a latent defect discovery rate of 60-65%, while informal inspections detected fewer than 50% of defects. The latent defect discovery rate for most forms of testing is about 30%. [11] [12] A code review case study published in the book Best Kept Secrets of Peer Code Review contradicted the Capers Jones study, [11] finding that lightweight reviews can uncover as many bugs as formal reviews while being more efficient in terms of cost and money [13]

Studies indicate that up to 75% of code review comments affect software evolvability and maintainability rather than functionality, [14] [15] [4] [16] suggesting that code reviews are an excellent tool for software companies with long product or system life cycles. [17] Therefore, less than 15% of issues discussed in code reviews relate directly to bugs. [18]

Guidelines

Research indicates review effectiveness correlates with review speed. Optimal code review rates range from 200 to 400 lines of code per hour. [19] [20] [21] [22] Inspecting and reviewing more than a few hundred lines of code per hour for critical software (such as safety critical embedded software) may be too fast to find errors. [19] [23]

Supporting tools

Static code analysis software assist reviewers by automatically checking source code for known vulnerabilities and defect patterns, particularly for large chunks of code. [24] A 2012 study by VDC Research reports that 17.6% of the embedded software engineers surveyed currently use automated tools to support peer code review and 23.7% planning to use them within two years. [25]

See also

Related Research Articles

In computer science, static program analysis is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution in the integrated environment.

<span class="mw-page-title-main">Software testing</span> Checking software against a standard

Software testing is the act of checking whether software satisfies expectations.

A Fagan inspection is a process of trying to find defects in documents during various phases of the software development process. It is named after Michael Fagan, who is credited with the invention of formal software inspections.

In the context of software engineering, software quality refers to two related but distinct notions:

Software visualization or software visualisation refers to the visualization of information of and related to software systems—either the architecture of its source code or metrics of their runtime behavior—and their development process by means of static, interactive or animated 2-D or 3-D visual representations of their structure, execution, behavior, and evolution.

Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products. It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).

In software development, peer review is a type of software review in which a work product is examined by author's colleagues, in order to evaluate the work product's technical content and quality.

A software review is "a process or meeting during which a software product is examined by a project personnel, managers, users, customers, user representatives, or other interested parties for comment or approval".

Quality engineering is the discipline of engineering concerned with the principles and practice of product and service quality assurance and control. In software development, it is the management, development, operation and maintenance of IT systems and enterprise architectures with high quality standard.

Search-based software engineering (SBSE) applies metaheuristic search techniques such as genetic algorithms, simulated annealing and tabu search to software engineering problems. Many activities in software engineering can be stated as optimization problems. Optimization techniques of operations research such as linear programming or dynamic programming are often impractical for large scale software engineering problems because of their computational complexity or their assumptions on the problem structure. Researchers and practitioners use metaheuristic search techniques, which impose little assumptions on the problem structure, to find near-optimal or "good-enough" solutions.

DevOps is a methodology in the software development and IT industry. Used as a set of practices and tools, DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle. DevOps is complementary to agile software development; several DevOps aspects came from the agile way of working.

Continuous delivery (CD) is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time. It aims at building, testing, and releasing software with greater speed and frequency. The approach helps reduce the cost, time, and risk of delivering changes by allowing for more incremental updates to applications in production. A straightforward and repeatable deployment process is important for continuous delivery.

Software analytics is the analytics specific to the domain of software systems taking into account source code, static and dynamic characteristics as well as related processes of their development and evolution. It aims at describing, monitoring, predicting, and improving the efficiency and effectiveness of software engineering throughout the software lifecycle, in particular during software development and software maintenance. The data collection is typically done by mining software repositories, but can also be achieved by collecting user actions or production data.

Development testing is a software development process that involves synchronized application of a broad spectrum of defect prevention and detection strategies in order to reduce software development risks, time, and costs.

A software map represents static, dynamic, and evolutionary information of software systems and their software development processes by means of 2D or 3D map-oriented information visualization. It constitutes a fundamental concept and tool in software visualization, software analytics, and software diagnosis. Its primary applications include risk analysis for and monitoring of code quality, team activity, or software development progress and, generally, improving effectiveness of software engineering with respect to all related artifacts, processes, and stakeholders throughout the software engineering process and software maintenance.

<span class="mw-page-title-main">T.H. Tse</span> Hong Kong academic, professor and researcher

T.H. Tse is a Hong Kong academic who is a professor and researcher in program testing and debugging. He is ranked internationally as the second most prolific author in metamorphic testing. According to Bruel et al., "Research on integrated formal and informal techniques can trace its roots to the work of T.H. Tse in the mid-eighties." The application areas of his research include object-oriented software, services computing, pervasive computing, concurrent systems, imaging software, and numerical programs. In addition, he creates graphic designs for non-government organizations.

Software intelligence is insight into the inner workings and structural condition of software assets produced by software designed to analyze database structure, software framework and source code to better understand and control complex software systems in information technology environments. Similarly to business intelligence (BI), software intelligence is produced by a set of software tools and techniques for the mining of data and the software's inner-structure. Results are automatically produced and feed a knowledge base containing technical documentation and blueprints of the innerworking of applications, and make it available to all to be used by business and software stakeholders to make informed decisions, measure the efficiency of software development organizations, communicate about the software health, prevent software catastrophes.

Automatic bug-fixing is the automatic repair of software bugs without the intervention of a human programmer. It is also commonly referred to as automatic patch generation, automatic bug repair, or automatic program repair. The typical goal of such techniques is to automatically generate correct patches to eliminate bugs in software programs without causing software regression.

CodeSonar is a static code analysis tool from CodeSecure, Inc. CodeSonar is used to find and fix bugs and security vulnerabilities in source and binary code. It performs whole-program, inter-procedural analysis with abstract interpretation on C, C++, C#, Java, as well as x86 and ARM binary executables and libraries. CodeSonar is typically used by teams developing or assessing software to track their quality or security weaknesses. CodeSonar supports Linux, BSD, FreeBSD, NetBSD, MacOS and Windows hosts and embedded operating systems and compilers.

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of SQL injection in 1998 when Web applications integrated new technologies like JavaScript and Flash.

References

  1. 1 2 3 Baum, Tobias; Liskin, Olga; Niklas, Kai; Schneider, Kurt (2016). "A Faceted Classification Scheme for Change-Based Industrial Code Review Processes". 2016 IEEE International Conference on Software Quality, Reliability and Security (QRS). pp. 74–85. doi:10.1109/QRS.2016.19. ISBN   978-1-5090-4127-5. S2CID   9569007.
  2. Kolawa, Adam; Huizinga, Dorota (2007). Automated Defect Prevention: Best Practices in Software Management. Wiley-IEEE Computer Society Press. p. 260. ISBN   978-0-470-04212-0.
  3. 1 2 3 Baum, Tobias; Leßmann, Hendrik; Schneider, Kurt (2017). "The Choice of Code Review Process: A Survey on the State of the Practice". Product-Focused Software Process Improvement. Lecture Notes in Computer Science. Vol. 10611. pp. 111–127. doi:10.1007/978-3-319-69926-4_9. ISBN   978-3-319-69925-7.
  4. 1 2 Bacchelli, A; Bird, C (May 2013). "Expectations, outcomes, and challenges of modern code review" (PDF). Proceedings of the 35th IEEE/ACM International Conference On Software Engineering (ICSE 2013). Retrieved 2015-09-02.
  5. Baum, Tobias; Liskin, Olga; Niklas, Kai; Schneider, Kurt (2016). "Factors Influencing Code Review Processes in Industry". Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering - FSE 2016. pp. 85–96. doi:10.1145/2950290.2950323. ISBN   9781450342186. S2CID   15467294.
  6. IEEE Standard for Software Reviews and Audits. IEEE STD 1028-2008. August 2008. pp. 1–53. doi:10.1109/ieeestd.2008.4601584. ISBN   978-0-7381-5768-9.
  7. 1 2 Fagan, Michael (1976). "Design and code inspections to reduce errors in program development". IBM Systems Journal. 15 (3): 182–211. doi:10.1147/sj.153.0182.
  8. Rigby, Peter; Bird, Christian (2013). "Convergent contemporary software peer review practices". Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. pp. 202–212. CiteSeerX   10.1.1.641.1046 . doi:10.1145/2491411.2491444. ISBN   9781450322379. S2CID   11163811.
  9. MacLeod, Laura; Greiler, Michaela; Storey, Margaret-Anne; Bird, Christian; Czerwonka, Jacek (2017). "Code Reviewing in the Trenches: Challenges and Best Practices" (PDF). IEEE Software. 35 (4): 34. doi:10.1109/MS.2017.265100500. S2CID   49651487 . Retrieved 2020-11-28.
  10. Sadowski, Caitlin; Söderberg, Emma; Church, Luke; Sipko, Michal; Baachelli, Alberto (2018). "Modern code review: A case study at google". Proceedings of the 40th International Conference on Software Engineering: Software Engineering in Practice. pp. 181–190. doi: 10.1145/3183519.3183525 . ISBN   9781450356596. S2CID   49217999.
  11. 1 2 Jones, Capers (June 2008). "Measuring Defect Potentials and Defect Removal Efficiency" (PDF). Crosstalk, The Journal of Defense Software Engineering. Archived from the original (PDF) on 2012-08-06. Retrieved 2010-10-05.
  12. Jones, Capers; Ebert, Christof (April 2009). "Embedded Software: Facts, Figures, and Future". Computer. 42 (4): 42–52. doi:10.1109/MC.2009.118. S2CID   14008049.
  13. Jason Cohen (2006). Best Kept Secrets of Peer Code Review (Modern Approach. Practical Advice.) . Smart Bear Inc. ISBN   978-1-59916-067-2.
  14. Czerwonka, Jacek; Greiler, Michaela; Tilford, Jack (2015). "Code Reviews do Not Find Bugs. How the Current Code Review Best Practice Slows Us Down". 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering (PDF). Vol. 2. pp. 27–28. doi:10.1109/ICSE.2015.131. ISBN   978-1-4799-1934-5. S2CID   29074469 . Retrieved 2020-11-28.
  15. Mantyla, M.V.; Lassenius, C. (2009). "What Types of Defects Are Really Discovered in Code Reviews?" (PDF). IEEE Transactions on Software Engineering. 35 (3): 430–448. CiteSeerX   10.1.1.188.5757 . doi:10.1109/TSE.2008.71. S2CID   17570489 . Retrieved 2012-03-21.
  16. Beller, M; Bacchelli, A; Zaidman, A; Juergens, E (May 2014). "Modern code reviews in open-source projects: which problems do they fix?" (PDF). Proceedings of the 11th Working Conference on Mining Software Repositories (MSR 2014). Retrieved 2015-09-02.
  17. Siy, Harvey; Votta, Lawrence (2004-12-01). "Does the Modern Code Inspection Have Value?" (PDF). unomaha.edu. Archived from the original (PDF) on 2015-04-28. Retrieved 2015-02-17.
  18. Bosu, Amiangshu; Greiler, Michaela; Bird, Chris (May 2015). "Characteristics of Useful Code Reviews: An Empirical Study at Microsoft" (PDF). 2015 IEEE/ACM 12th Working Conference on Mining Software Repositories. Retrieved 2020-11-28.
  19. 1 2 Kemerer, C.F.; Paulk, M.C. (2009-04-17). "The Impact of Design and Code Reviews on Software Quality: An Empirical Study Based on PSP Data". IEEE Transactions on Software Engineering. 35 (4): 534–550. doi:10.1109/TSE.2009.27. hdl: 11059/14085 . S2CID   14432409.
  20. "Code Review Metrics". Open Web Application Security Project. Archived from the original on 2015-10-09. Retrieved 9 October 2015.
  21. "Best Practices for Peer Code Review". Smart Bear. Smart Bear Software. Archived from the original on 2015-10-09. Retrieved 9 October 2015.
  22. Bisant, David B. (October 1989). "A Two-Person Inspection Method to Improve Programming Productivity". IEEE Transactions on Software Engineering. 15 (10): 1294–1304. doi:10.1109/TSE.1989.559782. S2CID   14921429 . Retrieved 9 October 2015.
  23. Ganssle, Jack (February 2010). "A Guide to Code Inspections" (PDF). The Ganssle Group. Retrieved 2010-10-05.
  24. Balachandran, Vipin (2013). "Reducing human effort and improving quality in peer code reviews using automatic static analysis and reviewer recommendation". 2013 35th International Conference on Software Engineering (ICSE). pp. 931–940. doi:10.1109/ICSE.2013.6606642. ISBN   978-1-4673-3076-3. S2CID   15823436.
  25. VDC Research (2012-02-01). "Automated Defect Prevention for Embedded Software Quality". VDC Research. Retrieved 2012-04-10.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.